Palo Alto Networks at a Glance

Corporate highlights

Founded in 2005; first customer shipment in 2007
Experienced technology and management team
1,000+ employees globally
App-ID: redefined the core classification of traffic for firewalling and threat prevention
EAL4+ Certified
Enterprise customers
Real-World Data Sources

Application Usage and Threat Report (evaluation networks)
• 3,056 live networks
• 12.6 Petabytes of data
• 5,303 unique threats observed
• 264 Million threat logs

Modern Malware Review (customer networks)
• 26,000 unknown malware samples
• 1,000+ live networks
• 3 months of data
• Full malware lifecycle
Evolution of Users, Applications and Threats

The Traditional Model - Open "good" ports, then block known "bad" things

Positive Control Phase
• Allow only needed applications
• All traffic classified equally
• Traditionally based on port

Negative Control Phase
• Selectively block known bad payloads
• Exploits, malware
Positive Controls Must Advance

Positive classification is the classification that we apply equally to all traffic
Challenges to Port-Based Classification

568 - Applications that can use non-standard ports
260 - Applications that can tunnel other apps and protocols
82 - Applications designed to avoid security
Non-Standard Ports
- Evasive Applications - Standard application behavior
- Security Best Practices - Moving internet-facing protocols off of standard ports (e.g. RDP)

Tunneling Within Allowed Protocols
- SSL and SSH
- HTTP
- DNS

Circumventors
- Proxies
- Anonymizers (Tor)
- Custom Encrypted Tunnels (e.g. Freegate, Ultrasurf)
Challenges to Port-Based Classification

"Ok, but how often do applications do this in the real world?"

Based on 3,000 live enterprise evaluation networks:
- SSL - 4,740 ports
- Skype - 27,749 ports
- BitTorrent - 21,222 ports
Non-Standard Ports and Malware

Based on a 3 month study of fully undetected malware collected by WildFire
■ 26,000+ malware samples from 1,000+ networks

FTP was the most evasive application observed*
■ 95% of unknown samples delivered via FTP were never covered by antivirus.
■ 97% of malware FTP sessions used non-standard ports, and used 237 different non-standard ports.

Web-browsing delivered more malware, but was less evasive.
■ 10% of samples delivered over 90 different non-standard web ports
Example: Sample 0-Day Malware

Unknown traffic traversing the DNS port
HTTP on random high ports

[Screenshot: firewall traffic log with columns To Port, Application, Action, Rule, Bytes, Time, Session End, Source and Destination. Every legible row has action "allow", rule "test", session end "end", source 192.168.180.1 and destination 94.242.250.64; timestamps run from ...4:54:36 down to ...4:53:38. Legible rows:]

To Port   Application    Bytes
3099      web-browsing   561
23345     web-browsing   401.9 K
23345     web-browsing   175.8 K
80        web-browsing   659 (repeated sessions)
53        unknown-udp    62 (repeated sessions)
HTTP Session over non-standard port -> Payload

[Screenshot: Wireshark "Follow TCP Stream" of the port 23345 session, entire conversation 397165 bytes. The legible request and response:]

    GET /a/BBB999GI/l HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Host: updateswin.zigg.me:23345
    Connection: Keep-Alive
    Cache-Control: no-cache

    HTTP/1.1 200 OK
    Server: nginx/1.0.0
    Date: Mon, 02 Apr 2012 07:32:42 GMT
    Content-Type: application/octet-stream
    Content-Length: 106496
    Last-Modified: Mon, 02 Apr 2012 00:30:21 GMT
    Connection: keep-alive
    Accept-Ranges: bytes

    MZ ... This program cannot be run in DOS mode. ... .text ... (import of the MSVBVM Visual Basic runtime DLL)

The body is a Windows executable (PE "MZ" header) served as a generic binary over a high, non-standard port that the policy allowed as web-browsing.
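The following is an added example, not Palo Alto Networks code. It applies the point of the non-standard-ports slides and of the traffic log above: because App-ID names the application, a web-browsing session on port 23345 or unknown-udp on the DNS port stands out even though the rule allowed it, and a response whose octet-stream body starts with the PE "MZ" magic is an executable download whatever port carried it. The log rows, the expected-port table and the HTTP response bytes below are constructed for this example (the rows mirror the slide's columns; the 192.0.2.53 address is a documentation-range placeholder).

```python
"""Review firewall traffic-log lines for application/port mismatches."""
from collections import namedtuple

Session = namedtuple("Session", "src dst port app action nbytes")

# Ports each application is expected to use (assumed, illustrative table).
EXPECTED_PORTS = {
    "web-browsing": {80, 8080},
    "ssl": {443},
    "dns": {53},
    "ftp": {21},
}

# Constructed log rows: dst-port application action bytes source destination
SAMPLE_LOG = """\
3099 web-browsing allow 561 192.168.180.1 94.242.250.64
23345 web-browsing allow 401900 192.168.180.1 94.242.250.64
80 web-browsing allow 659 192.168.180.1 94.242.250.64
53 unknown-udp allow 62 192.168.180.1 94.242.250.64
53 dns allow 120 192.168.180.1 192.0.2.53
"""


def parse_log(text):
    """Turn whitespace-separated rows into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        port, app, action, nbytes, src, dst = line.split()
        sessions.append(Session(src, dst, int(port), app, action, int(nbytes)))
    return sessions


def classify(session):
    """'unknown' for unclassified traffic, 'non-standard-port' for a known
    application off its usual port, otherwise 'ok'."""
    if session.app.startswith("unknown-"):
        return "unknown"
    expected = EXPECTED_PORTS.get(session.app)
    if expected is not None and session.port not in expected:
        return "non-standard-port"
    return "ok"


def review(text):
    """Findings as (port, application, verdict) for every session that needs
    a second look; the rule's allow action does not suppress them."""
    return [(s.port, s.app, classify(s))
            for s in parse_log(text) if classify(s) != "ok"]


# Constructed response in the shape of the captured stream: an
# octet-stream body that begins with the PE "MZ" magic.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.0.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
)


def parse_http_response(raw):
    """Split a raw response into a lowercase header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def is_executable_download(headers, body):
    """True when the payload is a Windows executable served as a generic
    binary, whatever port the session used."""
    ctype = headers.get("content-type", "").lower()
    return ctype.startswith("application/octet-stream") and body[:2] == b"MZ"


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
    print(is_executable_download(*parse_http_response(SAMPLE_RESPONSE)))
```

On the constructed rows the two high-port web-browsing sessions and the unknown-udp session on port 53 are reported; the dns session on port 53 and web-browsing on port 80 are not, which is the distinction a port-only rule cannot make.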
Any Traffic Not Fully Inspected = Threats Missed

• The Rule of All
  - All traffic must be inspected equally
  - Full-stack analysis must be the 1st step
  - All traffic, all ports, all the time

• Progressive Inspection
  - Decode - application and protocol decoders must be used to progressively open tunnels
  - Decrypt - Targeted based on policy
  - Decompress - Files (e.g. ZIP) and traffic (gzip)
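An added example of the "decompress" step of progressive inspection; it is not Palo Alto Networks code. A constructed object, a gzip-encoded HTTP body holding a ZIP archive holding a PE executable, is opened layer by layer: each layer is recognised by its magic bytes and unwrapped until something that is not a container is reached, so the verdict is made on the innermost object rather than on the compressed wrapper. The depth limit is an assumption and bounds nesting only, not inflated size; the decrypt step is left out because it depends on policy-driven SSL decryption.

```python
"""Progressively open nested containers before judging a payload."""
import gzip
import io
import zipfile

MAX_DEPTH = 8  # assumed bound on nesting depth


def identify(data):
    """Classify a blob by its leading bytes."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def walk(data, path="", depth=0):
    """Yield (path, type) for the blob and every object nested inside it."""
    kind = identify(data)
    yield path, kind
    if depth >= MAX_DEPTH:
        return
    if kind == "gzip":
        yield from walk(gzip.decompress(data), path + "[gzip]", depth + 1)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                yield from walk(archive.read(name), path + "/" + name, depth + 1)


def contains_executable(data):
    """True if a PE file is found at any nesting level."""
    return any(kind == "pe" for _, kind in walk(data))


def build_sample():
    """Constructed object: gzip( zip( update.exe = PE stub ) )."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("update.exe", pe_stub)
    return gzip.compress(buf.getvalue())


if __name__ == "__main__":
    for path, kind in walk(build_sample()):
        print(path or "<body>", kind)
```

Looking only at the outer layer, the sample is "gzip"; walking it reports gzip, then zip, then a PE at [gzip]/update.exe, which is the object the anti-malware step has to see.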
Applications ≠ Good or Bad

Attacks ≠ Payloads
Application Spotlight - Web Proxies

The Enterprise - Mostly Good
• Helps enforce policy, and provides a layer of threat prevention.
• Nasty habit of breaking applications

The User - Mostly Bad
• Used to circumvent security policy
• Open web proxies, anonymizers, Tor

The Bad Guy - Very Bad
• Leveraged for outbound C2
• Hides the location of the attacker
• Pay for use darknets (custom version of Tor)
Application Spotlight - Remote Desktop

The Enterprise - Mostly Good
• Administer datacenter applications
• Remote IT support
• Danger: Often leaves open tunnels

The User - Mostly Bad
• Used to circumvent security policy
• RDP sessions are encrypted - connect to home and surf anything you want

The Bad Guy - Very Bad
• Remote management of an owned machine
• Standard tool of APTs
• See Verizon DBIR and Mandiant reports
Application Spotlight - File Transfer

The Enterprise - Good
• P2P applications for transferring large distros
• Collaboration applications (Sharepoint)
• Asset management (Dropbox)

The User - Unknown
• Dropbox and Sharepoint to do work
• P2P and MEGA for downloading illegal movies (and malware)

The Bad Guy - Bad
• Delivery of secondary payloads (FTP, HTTP, IM, etc.)
• Heavy use of non-standard ports
• Theft of data
Example: TDL-4

■ Extension of earlier malware, a.k.a. Alureon, TDSS, TDL
■ Named "the indestructible botnet" due to its ability to protect itself from takedowns/takeovers

Infection
• Any (outsourced to affiliates)
• Drive-by-downloads easily the most common

Persistence
• Infects MBR
• 32/64 bit rootkits

Communication
• Proprietary encryption
• Tunneled within SSL
• Sells proxy as a service

Command & Control
• Kad P2P network
• C&C servers
• Proxy through infected hosts

20+ Programs Used
Malicious apps, Fake AV, Spam, Adware, etc.





Context is Key

(Diagram: the context dimensions are User, Application, Feature, Time, Country and File Type)

■ Standardize on Approved Applications
  - There are hundreds of instant messaging clients.
  - Standardize on 1 or 2 and tightly control the rest.

■ Integrate Context of the User
  - P2P and RDP should only be used by IT; deny all others

■ Control Features Within the Application
  - Hundreds of applications can transfer files
  - Block those that don't need it (e.g. IM, Webex, etc.)

■ Allow But Investigate
  - Selectively decrypt social media and web-mail to look for malware activity
Control High-Risk Applications

What to Do | Why Do It
Block (or limit) peer-to-peer applications | Malware infection vector, malware C2 channel, data theft
Block anonymizers such as Tor | Malware C2, APT tool, evasion tool
Only allow approved proxies, investigate or block others | Malware C2, APT tool, evasion tool
Strictly control the use of remote desktop | APT tool, evasion tool
Block encrypted tunnel applications such as UltraSurf | Evasion tool, malware C2
Block any unneeded applications that can tunnel other applications | Opens the door to evasion or tunneled threats
Review the need for applications known to be used by malware | Introduces unnecessary risk


Unknowns Are A Part of the Attack 



Test and Verify Must Become Standard Procedure 
Attackers Customize All Phases of the Attack

Custom Applications
  Custom UDP
  • Extremely common C2 and signaling traffic
  Custom TCP
  • C2, secondary payloads, and data exfiltration
  • P2P, IM, streaming protocols are common targets

Custom Payloads
  Custom Malware
  • Thriving market for fully undetectable malware
  Polymorphic Malware
  • Malware modified to change the filename or hash value

New Domains
  • New domains with no reputation used to deliver and control malware
Actively Test Unknown Files

Execute unknown files to reveal malware based on actual behavior
Feed back results into all phases of threat prevention

(Diagram: results feed Malware URL Filtering and C&C Signatures)
Most Commonly Observed Malware Network Behaviors

(Bar chart of the behaviors below; only a few percentages are legible in the scan: "Visited a recently registered domain" at 1.87%, and the values 2.33%, .56% and 0.47%, whose bars could not be matched to a label)

- Contained unknown TCP/UDP traffic
- Visited an unregistered domain
- Sent out emails
- Used the POST method in HTTP
- Triggered known IPS signature
- IP country different from HTTP host TLD
- Communicated with new DNS server
- Downloaded files with an incorrect file extension
- Connected to a non-standard HTTP port
- Produced unknown traffic over the HTTP port
- Visited a recently registered domain (1.87%)
- Visited a known dynamic DNS domain
- Visited a fast-flux domain

• Investigate and classify any unknown traffic
• No file downloads from unknown domains
• No HTTP posts to unknown domains
• No email traffic not to the corp email server

Source: Palo Alto Networks
Controlling Unknowns in the Lifecycle

Goal: Classify and investigate any unknown traffic
• Requires full-stack positive control
• Write custom App-IDs for internally developed applications
• Investigate users generating unknown traffic
• Block unknown traffic from high value areas

Goal: Enforce tight controls over unknown or low reputation domains
• Prevent the download of files from new/unknown domains
• Investigate or block HTTP-POST to new/unknown domains
• Investigate or block dynamic DNS or flux domains

Goal: Verify SSL and block custom encryption
• Failed SSL decryption often a sign of malware
• Block custom encrypted tunnels when possible
• Limit point to point encryption to known systems

Goal: Sandbox unknown files to identify new malware
• Actively run files in a virtual environment
• Must ensure full access to the Internet
• Be prepared for VM-aware malware
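An added example, not Palo Alto Networks or WildFire code, serving both the "Most Commonly Observed Malware Network Behaviors" list and the goals above. Each rule maps one observed-behavior bullet to a test over the network events recorded during a sandbox run (DNS lookups, HTTP requests, flows, outbound mail), and the four policy lines from the behaviors slide decide whether the sample is blocked outright. The domain, mail-server and port lists, the run date and the events are constructed; the 30-day "recently registered" window and the extension table are assumptions. The country-vs-TLD and IPS-signature behaviors need external data and are not modelled.

```python
"""Check a sandbox run's network events against the behavior list."""
from datetime import date, timedelta

RUN_DATE = date(2012, 4, 2)                # constructed sandbox run date
RECENT_WINDOW = timedelta(days=30)         # assumed meaning of "recently"
KNOWN_DOMAINS = {"updates.example.com"}    # assumed reputation / approved list
CORP_MAIL_SERVERS = {"mail.corp.example"}  # assumed corporate mail server
STANDARD_HTTP_PORTS = {80, 8080}
# Extensions that legitimately carry a content type (assumed table).
EXT_FOR_TYPE = {"application/octet-stream": {"exe", "dll", "bin"},
                "image/gif": {"gif"}}

# Constructed events from one run; the download mirrors the captured stream
# earlier in the deck (octet-stream on port 23345, no file extension).
SAMPLE_EVENTS = [
    {"kind": "dns", "domain": "updateswin.zigg.me", "registered": date(2012, 3, 28)},
    {"kind": "http", "method": "GET", "host": "updateswin.zigg.me", "port": 23345,
     "path": "/a/BBB999GI/l", "content_type": "application/octet-stream"},
    {"kind": "http", "method": "POST", "host": "updateswin.zigg.me", "port": 80,
     "path": "/report", "content_type": "text/html"},
    {"kind": "flow", "proto": "udp", "port": 53, "app": "unknown-udp"},
    {"kind": "smtp", "server": "mx.unrelated.example"},
    {"kind": "http", "method": "GET", "host": "updates.example.com", "port": 80,
     "path": "/logo.gif", "content_type": "image/gif"},
]


def extension(path):
    """Lower-cased extension of the last path segment, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def behaviors(events, run_date=RUN_DATE):
    """Return the sorted list of behaviors the events exhibit."""
    found = set()
    for e in events:
        kind = e["kind"]
        if kind == "flow" and e["app"].startswith("unknown-"):
            found.add("unknown TCP/UDP traffic")
        elif kind == "dns":
            registered = e.get("registered")
            if registered is None:
                found.add("visited an unregistered domain")
            elif run_date - registered <= RECENT_WINDOW:
                found.add("visited a recently registered domain")
        elif kind == "smtp" and e["server"] not in CORP_MAIL_SERVERS:
            found.add("sent out email to a non-corporate server")
        elif kind == "http":
            unknown_host = e["host"] not in KNOWN_DOMAINS
            if e["method"] == "POST":
                found.add("used the POST method in HTTP")
                if unknown_host:
                    found.add("HTTP POST to unknown domain")
            if e["port"] not in STANDARD_HTTP_PORTS:
                found.add("connected to a non-standard HTTP port")
            allowed = EXT_FOR_TYPE.get(e["content_type"])
            if allowed is not None and extension(e["path"]) not in allowed:
                found.add("downloaded a file with an incorrect extension")
            if e["content_type"] == "application/octet-stream" and unknown_host:
                found.add("file download from unknown domain")
    return sorted(found)


# The four policy lines from the behaviors slide.
BLOCKING = {"unknown TCP/UDP traffic", "file download from unknown domain",
            "HTTP POST to unknown domain", "sent out email to a non-corporate server"}


def should_block(events):
    """True when any behavior the policy forbids outright was observed."""
    return bool(BLOCKING.intersection(behaviors(events)))


if __name__ == "__main__":
    for b in behaviors(SAMPLE_EVENTS):
        print("-", b)
    print("block:", should_block(SAMPLE_EVENTS))
```

Run on the constructed events, the sample trips eight of the listed behaviors and all four blocking lines; the single GET of logo.gif from the approved domain on port 80 trips none, which is the baseline a benign file should produce.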
An Approach to Preventing Cyberthreats

Applications
• Visibility and control of all traffic, across all ports, all the time
• Reducing Risk: reduce the attack surface; control the threat vector; control the methods that threats use to hide

Context
• Evaluate risk in context of user, application, URL, and file type
• Sites known to host malware
• Find traffic to command and control servers
• SSL decrypt high-risk sites

Known Threats
• Stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
• Control threats across any port

Unknown Threats
• Automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors
Questions, thoughts, or feedback?